update doc

Signed-off-by: Huabing Zhao <[email protected]>
envoyproxy · Aug 27, 2024 · 250b1cc · 250b1cc
1 parent 9422e71
commit 250b1cc
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 11 deletions.
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -42,7 +42,8 @@ type OIDC struct {
 	// If set, the cookies will be set on the specified domain and all subdomains.
 	// This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
 	// +optional
-	// +kubebuilder:validation:Pattern=`^[a-z0-9.]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
+	// +notImplementedHide
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
 	CookieDomain *string `json:"cookieDomain,omitempty"`
 
 	// The OIDC scopes to be used in the

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -2055,7 +2055,7 @@ spec:
                       If not set, the cookies will default to the host of the request, not including the subdomains.
                       If set, the cookies will be set on the specified domain and all subdomains.
                       This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
-                    pattern: ^[a-z0-9.]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
                     type: string
                   cookieNames:
                     description: |-

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -132,4 +132,4 @@ securityPolicies:
       defaultTokenTTL: 1h
       refreshToken: true
       defaultRefreshTokenTTL: 48h
-      cookieDomain: ".example.com"
+      cookieDomain: "example.com"
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -73,4 +73,4 @@ http:
         cookieNameOverrides:
           idToken: "CustomIdTokenOverride"
           accessToken: "CustomAccessTokenOverride"
-        cookieDomain: ".example.com"
+        cookieDomain: "example.com"
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -73,7 +73,7 @@
               authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth
               credentials:
                 clientId: client.oauth.bar.com
-                cookieDomain: .example.com
+                cookieDomain: example.com
                 cookieNames:
                   bearerToken: CustomAccessTokenOverride
                   idToken: CustomIdTokenOverride

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -2478,7 +2478,6 @@ _Appears in:_
 | `clientID` | _string_ |  true  | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br /><br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
 | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ |  false  | The optional cookie name overrides to be used for Bearer and IdToken cookies in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses a randomly generated suffix |
-| `cookieDomain` | _string_ |  false  | The optional domain to set the access and ID token cookies on.<br />If not set, the cookies will default to the host of the request, not including the subdomains.<br />If set, the cookies will be set on the specified domain and all subdomains.<br />This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. |
 | `scopes` | _string array_ |  false  | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
 | `resources` | _string array_ |  false  | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ |  true  | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |

diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md
@@ -97,7 +97,7 @@ providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA,
 
 Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. Please make sure the
 redirect URL is set to the one you configured in the SecurityPolicy that you will create in the step below. In this example,
-the redirect URL is `http://www.example.com:8443/myapp/oauth2/callback`.
+the redirect URL is `https://www.example.com:8443/myapp/oauth2/callback`.
 
 After registering the application, you should have the following information:
 * Client ID: The client ID of the OIDC application.
@@ -221,7 +221,7 @@ If you haven't registered an OIDC application, follow the steps in the previous
 
 If you haven't created a kubernetes secret, follow the steps in the previous section to create a kubernetes secret.
 
-### Create another HTTPRoute
+### Create an HTTPRoute with a different subdomain
 
 Let's create another HTTPRoute in the same Gateway, but with a different subdomain.
 
@@ -355,17 +355,40 @@ Verify the SecurityPolicy configuration:
 kubectl get securitypolicy/oidc-example -o yaml
 ```
 
+### Update the Listener TLS certificate to support multiple subdomains
+
+Create a multi-domain wildcard certificate for `*.example.com`.
+
+```shell
+openssl req -out wildcard.csr -newkey rsa:2048 -nodes -keyout wildcard.key -subj "/CN=*.example.com/O=example organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in wildcard.csr -out wildcard.crt
+```
+
+Replace the TLS certificate of the Gateway with the wildcard certificate.
+
+```shell
+kubectl delete secret example-cert
+kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt
+```
+
 ### Testing
 
 If you haven't done so, follow the steps in the previous section to port forward gateway port to localhost and put
 www.example.com in the /etc/hosts file in your test machine.
 
+Also, put foo.example.com in the /etc/hosts file in your test machine.
+
+```shell
+...
+127.0.0.1 foo.example.com
+```
+
 Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google
 login page. After you successfully login, you should see the response from the backend service.
 
 You can also try to access `https://foo.example.com:8443` and `https://www.example.com:8443/bar` addresses. You should
-be able to see the response from the backend service since these HTTPRoutes are protected by the same OIDC policy and
-the ID token cookie is shared across subdomains.
+be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config,
+and the ID token cookie is shared across subdomains.
 
 ## Clean-Up
 

diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
@@ -2478,7 +2478,6 @@ _Appears in:_
 | `clientID` | _string_ |  true  | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br /><br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
 | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ |  false  | The optional cookie name overrides to be used for Bearer and IdToken cookies in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses a randomly generated suffix |
-| `cookieDomain` | _string_ |  false  | The optional domain to set the access and ID token cookies on.<br />If not set, the cookies will default to the host of the request, not including the subdomains.<br />If set, the cookies will be set on the specified domain and all subdomains.<br />This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. |
 | `scopes` | _string array_ |  false  | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
 | `resources` | _string array_ |  false  | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ |  true  | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |